Three Random Words 'Best Password Strategy'

John Lister's picture

A government agency says three "random" words make for a better password than many other approaches. It says other strategies such as adding symbols and numbers can be counterproductive.

The advice comes from the National Cyber Security Center (NCSC). That's a body in the United Kingdom that deals with major security breaches and gives advice to businesses and other government organizations.

According to the NCSC, the advice is aimed at people who try to remember passwords. It says password manager tools are a good solution but remain widely unused. (Source:

Predictable Appr0@ch!

The NCSC says that websites and employers who try to enforce complexity requirements (and those who make users change passwords regularly) may be doing more harm than good. That's because the ways users try to meet these requirements while still remembering a password are highly predictable.

Examples include simply adding the same digits to the end of a word each time, always using an exclamation point where a symbol is required, and changing the letter O to a zero or the letter A to an @ sign. Such passwords create a false sense of security because they meet the requirements. (Source:

The NCSC instead says choosing a string of three words is a better approach. This is partly a practical issue: it's easily understandable and the approach's "power is in its usability, because security that's not usable doesn't work."

Dictionary Attacks Diminished

Another benefit is that using three words will make for a longer password and be more likely to meet minimum length requirements. That's better than more predictable ways of stretching out a single word password to just hit the minimum.

Finally, the NCSC says that even though the approach uses dictionary words, it's much harder to guess through a dictionary attack. That's where hackers simply run through a list of common words to try to find a password. That tactic would take dramatically longer to not only find the right combination of three words but also the correct order.

The advice notes that getting users to change their approach is only one side of the solution. It repeats the benefits of password managers and also suggests sites and employers should use a "password deny" list that stops users choosing a predictable password.

What's Your Opinion?

Is this good advice? What tactics do you use for passwords? Should official advice put even more emphasis on tools such as password managers?

Rate this article: 
Average: 4.6 (16 votes)


bcorsale's picture

I would love to have three random words as the criteria. However, most sites want a combination of letters, numbers, and symbols which makes using only words very difficult, unless you substitute numbers &/or symbols for certain letters.